Hi,

2017-08-16 6:59 GMT+02:00 Vinoth Raja <rbvdvin...@gmail.com>:
> Hi Chris,
>
> In the above conversation, the server presents the list of acceptable
> client certificates to the client. Does that happen for you?
>
> [ Yes. It prints the list of acceptable certificates when
> certificateVerification is set to required. It prints the acceptable
> certificates from cacerts.

Sorry for this semi-off-topic question, but I'm interested in the list of
CA DNs sent by the TLS server in the SERVER HELLO message, i.e. the list
under the "Acceptable client certificate CA names" header (output text in
Chris' mail). How can I set it in Tomcat 8.5? Does it work with either
JSSE or native TLS? What is the client's behaviour if it doesn't have a
certificate signed by an "acceptable CA"?

Thanks and regards

> Application is not reachable from browser once certificateVerification is
> set to required. It shows "ERR_BAD_SSL_CLIENT_AUTH_CERT".
> I have tried setting a different trustStore from setenv.bat but it doesn't
> seem to take effect]
>
>> Can I set the truststore in SSLContext before making outbound call?
>> will it trust the client request.
>
> What outbound call? Tomcat only handles incoming HTTP/TLS connections.
>
> [I meant the web service call. Yes, I am talking about trusting the
> incoming TLS connection]
>
> On Wed, Aug 16, 2017 at 12:34 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Vinoth,
>>
>> On 8/15/17 11:42 AM, Vinoth Raja wrote:
>>> clientAuth="true" is not a valid attribute for connector in Tomcat
>>> 8.5.15. I have tried setting certificateVerification as required
>>> but application URL is not reachable and it was complaining about
>>> certificate.
>>
>> Does the browser prompt for a certificate?
>>
>> If you use "openssl s_client -connect [hostname]:[port]" does the
>> connection show that trusted certificates are presented?
>>
>> For example:
>>
>> $ openssl s_client -connect host:port
>>
>> CONNECTED(00000003)
>> [server certificate]
>>
>> Acceptable client certificate CA names
>> /CN=client-certificate1
>> /CN=client-certificate2
>> ...
>> Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
>> Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
>> Peer signing digest: SHA512
>> Server Temp Key: ECDH, P-256, 256 bits
>> ---
>> SSL handshake has read 2582 bytes and written 138 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>> Server public key is 4096 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>>     Session-ID:
>>     Session-ID-ctx:
>>     Master-Key: [session key]
>>     Key-Arg   : None
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1502814654
>>     Timeout   : 300 (sec)
>>     Verify return code: 10 (certificate has expired)
>> ---
>> [DISCONNECT]
>>
>> In the above conversation, the server presents the list of acceptable
>> client certificates to the client. Does that happen for you?
>>
>>> Can I set the truststore in SSLContext before making outbound call?
>>> will it trust the client request.
>>
>> What outbound call? Tomcat only handles incoming HTTP/TLS connections.
>>
>> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
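An added check (not from the thread, and not Tomcat's or OpenSSL's own tooling) for the diagnostic Chris describes: it takes saved `openssl s_client` output, lists the CA names the server advertises, reports the verify return code, and tests whether a client certificate's issuer DN is among the advertised CAs. The sample output, the DN `/C=US/O=Example Corp/CN=Example Internal CA` and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of "openssl s_client" output, modelled on the excerpt
# in the thread; it is not output from a real server.
SAMPLE='CONNECTED(00000003)
---
Acceptable client certificate CA names
/CN=client-certificate1
/CN=client-certificate2
/C=US/O=Example Corp/CN=Example Internal CA
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512
---
SSL handshake has read 2582 bytes and written 138 bytes
---
    Verify return code: 10 (certificate has expired)
---'

# Print the CA DNs the server advertises (one per line). Empty output
# means the server sent no CertificateRequest, i.e. it never asked the
# client for a certificate at all.
acceptable_cas() {
    printf '%s\n' "$1" | awk '
        /^Acceptable client certificate CA names/ { inlist = 1; next }
        inlist && /^\// { print; next }
        inlist { exit }'
}

# Print the numeric "Verify return code" for the server chain (0 = ok).
verify_code() {
    printf '%s\n' "$1" | awk '/Verify return code:/ {
        sub(/.*Verify return code: */, ""); print $1; exit }'
}

# Exit 0 if the client certificate issuer DN in $2 (same DN syntax as the
# s_client listing) is one of the advertised CAs, else exit 1. A client
# whose only certificate fails this check has nothing acceptable to send,
# which is one way the browser's ERR_BAD_SSL_CLIENT_AUTH_CERT can arise.
issuer_accepted() {
    acceptable_cas "$1" | grep -qxF -- "$2"
}

# Against a live server, capture the same text with:
#   OUT=$(openssl s_client -connect host:port </dev/null 2>&1)
# and pass "$OUT" to the functions above.
acceptable_cas "$SAMPLE"
echo "verify return code: $(verify_code "$SAMPLE")"
```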